Test of Controls: When to Perform and How

By Charles Hall | Auditing

Apr 27

A test of controls is a response to the risk a material misstatement. Today, I tell you when to use this response and how. 

test of controls

Three Responses to the Risk of Material Misstatement

The audit standards provide three potential responses (further audit procedures) to the risk of material misstatement:

  1. Test of details
  2. Substantive analytical procedures
  3. Test of controls

Today we look at the third option.

Why Test Controls?

Which response to a risk of material misstatement (RMM) is best? That depends on what you discover in risk assessment.

If, for example, your client consistently fails to record payables, then assess the completeness assertion for control risk at high. Your response? Perform a search for unrecorded liabilities, a test of details.

Alternatively, if controls for payables are strong, you can assess control risk at less than high and test controls. If the test proves the controls are effective, you can perform fewer substantive tests, such as a search for unrecorded liabilities.

Assessing Control Risk at High

Many auditors assess control risk at high (after risk assessment is complete) and use a fully substantive approach. That is fine, especially in audits of smaller entities. Why? Because smaller entities tend to have weaker controls. As a result, controls may not be effective. And you may not be able to assess control risk at less than high. (Nevertheless, most entities do have some controls that are effective.)

Assessing Control Risk at Less Than High

Control risk assessments of less than high must be supported with a test of controls. Why? To prove effectiveness. But if controls are not effective, you must assess control risk at high. This is why you might bypass control testing. You know, either from prior experience or from current-year walkthroughs, that controls are not effective. And if you test controls and find they are ineffective, you are back to square one: a control risk assessment of high.  And now you must respond with either a test of details or substantive analytics, or a combination of the two. Testing ineffective controls is a waste of time. 

Nevertheless, if controls are effective, why not test them? Doing so allows you to reduce your substantive procedures (test of details or substantive analytics).

Once risk assessment is complete, the decision regarding responses (further audit procedures) is largely based on efficiency. If control testing takes less time, then test controls. If substantive procedures takes less time, then perform a test of details or use a substantive analytical approach. But, regardless of efficiency considerations, address all risks with appropriate responses.

Next, we’ll assume that controls are anticipated to be effective. And we’ll look at how to test controls.

How to Test Controls 

So you’ve decided to test controls for effectiveness. But how? Let’s look at an example starting with risk assessment.

Control Risk Assessment

Your approach to testing controls depends on risk identified during risk assessment. For example, your walkthrough reveals appropriate segregation of duties. And you also see that the client issues receipts for each payment. Additionally, total daily cash inflows are reconciled to the bank statement. In other words, controls are designed properly and they have been implemented. Also, as an example, you’ve determined completeness is a relevant assertion. Why? Theft is a concern. 

Control Test Supports Effectiveness

Now, it’s time to test for effectiveness. You’ve already determined segregation of duties is present. If necessary, make additional observations regarding who is doing what. And document those observations. If the client has an accounting handbook, see if there were any amendments to the control system during the period being audited. Why? You want to know if the segregation of duties was present throughout the year. Make additional inquires, if needed.

Additionally, re-perform the receipt controls on a sample basis. But before doing so, determine the controls you are testing and the sample size. For example, your sample size might be 60 receipts and the control being tested is the issuance of a receipt by an authorized person. Additionally, you might sample 25 daily reconciliations to the bank statement. Document this information including how you determined your sample sizes. Now perform your tests and document whether the controls are effective. If yes, leave your control risk at less than high. You have support for that lower risk assessment. Additionally, you can now perform fewer substantive tests. 

Test Doesn’t Support Effectiveness

If your test does not support effectiveness, expand your sample size and test additional receipts. Or you can punt on the testing controlsand move to a substantive approach. Regardless, if controls are not effective, consider the need to communicate the control deficiency

So, when should you test controls?

When to Test Controls

Here are two situations where you are required to test controls:

  • When there is a significant risk and you are placing reliance on controls related to that risk
  • When substantive procedures don’t properly address a risk of material misstatement

Allow me to explain.

Required Test of Controls

Auditing standards allow a three-year rotation for testing controls, as long as the area tested is not a significant risk. But if the auditor plans to rely on a test of controls related to a significant risk, operating effectiveness must be tested in the current period. Additionally, the auditor should perform substantive procedures responsive to the significant risk. And those substantive procedures must include a test of details.

Also a test of controls is necessary if substantive procedures don’t properly address a risk of material misstatement. For example, consider the controls related to reallocation of investments in a 401(k). The participant goes online and moves funds from one account to another. There are no humans involved in the process, other than the participant. When processes are fully automated, substantive procedures may not provide sufficient audit evidence. If that is your situation, you must test of controls. Thankfully, a type 2 service organization control report is usually available in audits of 401(k)s. Such a report provides evidence that controls have already been tested by the service organization’s auditor. And you can leverage (place reliance upon) those tests.

Three Year Rotation

As I said earlier, audit standards allow a three-year rotation for testing effectiveness. For example, if you test accounts payable controls in 2020, then you can wait until 2023 to test them again. In 2021 and 2022, you need to ensure that these controls have not changed. You also want to determine that those controls have continuing relevance in the current audit. How? See if the controls continue to address a risk of material misstatement. And as you perform your annual walkthroughs, inquire about changes, observe the controls, and inspect documents. Why? You want to know that everything is working as before. And, yes, you do need to perform those walkthroughs annually, if that is how you corroborate your understanding of controls.

In short, testing for effectiveness can occur every three years, in most cases. But risk assessment procedures (e.g., walkthroughs) must be performed annually.

So should tests occur at interim or after year-end?

Interim or Year-End Tests

Some auditors test after the period has ended. Others at interim. Which should you choose?

It depends.

If it fits better into your work schedule, perform interim test of controls. Here’s an example: You perform an interim test of controls on November 1, 2019. Later, say in February 2020, consider whether controls have changed during the last two months of the year. See if the same people are performing those controls. And consider performing an additional tests of controls for the November 1 to December 31 period. Once done, determine if the controls are effective. 

But testing on an interim date is not always the answer. For example, if management is inclined to manipulate earnings near year-end, then interim tests may not be appropriate. 

If you choose to test after year-end, then you’ll examine controls for the full period being audited. Your sample should be representative of that timeframe.

So should you ever test at a point in time and not over a period of time? Yes, sometimes. For example, you might test inventory count controls at year-end.

When auditors perform Single Audits, there is often confusion about testing internal controls. The requirements are different. So let’s take a look. 

Single Audit Test of Controls

Perform a test of controls in Single Audits, but don’t confuse this test with those discussed above. The guidance above is in regard to generally accepted auditing standards (GAAS). The Single Audit is another set of standards and has different requirements. In Single Audits, you plan the audit with a low control risk assessment and you test for effectiveness. (One exception: when controls are not present. Then report the control deficiency in the Single Audit report.) The efficiency decision permitted in GAAS (see above) is not in play for your Single Audit work.

The types of controls you are testing in a Single Audit are also different. Here you test controls related to compliance requirements such as allowability, eligibility, procurement, and reporting. Perform such tests for each major program compliance requirement that is direct and material. The compliance requirements are specified in the OMB Compliance Supplement. See parts 2 (Matrix of Compliance Requirements) and 3 (Compliance Requirements).


Well, can you see why testing controls is confusing? There’s a lot to think about. 

As I said above, many auditors tend to rely fully on substantive responses to the risks of material misstatement. But, in some cases, that may not be the best or wisest approach. If controls are designed well and functioning, why not test them? Especially if it takes less time than substantive procedures.

Finally, take a look at my two related articles regarding responses to the risk of material misstatement: (1) Test of Details: Substantive Procedures and (2) Substantive Analytics: Smart Audit Procedures.


About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.